CVE-2019-12702

LOW

Description

A vulnerability in the web-based management interface of Cisco SPA100 Series Analog Telephone Adapters (ATAs) could allow an authenticated, remote attacker to conduct cross-site scripting attacks. The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of the affected software. An attacker could exploit this vulnerability by persuading a user to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information.

References

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191016-spa-reflected-xss

Details

Source: MITRE

Published: 2019-10-16

Updated: 2019-10-21

Type: CWE-79

Risk Information

CVSS v2.0

Base Score: 3.5

Vector: AV:N/AC:M/Au:S/C:N/I:P/A:N

Impact Score: 2.9

Exploitability Score: 6.8

Severity: LOW

CVSS v3.0

Base Score: 5.4

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Impact Score: 2.7

Exploitability Score: 2.3

Severity: MEDIUM

Vulnerable Software

Configuration 1

AND

OR

cpe:2.3:o:cisco:spa112_firmware:*:*:*:*:*:*:*:*

cpe:2.3:o:cisco:spa112_firmware:1.4.1:-:*:*:*:*:*:*

cpe:2.3:o:cisco:spa112_firmware:1.4.1:sr1:*:*:*:*:*:*

cpe:2.3:o:cisco:spa112_firmware:1.4.1:sr2:*:*:*:*:*:*

cpe:2.3:o:cisco:spa112_firmware:1.4.1:sr3:*:*:*:*:*:*

OR

cpe:2.3:h:cisco:spa112:-:*:*:*:*:*:*:*

Configuration 2

AND

OR

cpe:2.3:o:cisco:spa122_firmware:*:*:*:*:*:*:*:*

cpe:2.3:o:cisco:spa122_firmware:1.4.1:-:*:*:*:*:*:*

cpe:2.3:o:cisco:spa122_firmware:1.4.1:sr1:*:*:*:*:*:*

cpe:2.3:o:cisco:spa122_firmware:1.4.1:sr2:*:*:*:*:*:*

cpe:2.3:o:cisco:spa122_firmware:1.4.1:sr3:*:*:*:*:*:*

OR

cpe:2.3:h:cisco:spa122:-:*:*:*:*:*:*:*